Let’s Encrypt for Windows 10
In this guide I will show you how to obtain a Let’s Encrypt SSL certificate using only Windows 10. Note — this guide does not cover renewals or automation, yet.
This article assumes you have some prior knowledge of the following:
- DNS Records
- Windows Features
- SSL certificate
Recently, I have been faced with generating temporary SSL certificates for internal web servers. For this, Let’s Encrypt offers a great solution: free 90-day certificates, with one caveat. There is little to no official support for Windows operating systems.
Fortunately, the Windows 10 Anniversary Update (1607) brings a new feature, aptly titled Bash on Ubuntu on Windows (the Windows Subsystem for Linux). It gives Windows a Bash terminal and an Ubuntu user space in which you can run most Linux command-line tools, without the need for a Linux virtual machine!
Let’s Encrypt recommends the tool Certbot by EFF to generate, install and automate renewals. In the steps below, I show you how to generate the certificate files using this tool, for use in a web server of your choice.
Let’s get started…
First things first: install Bash on Ubuntu on Windows. I won’t cover how to do this here, but you can follow this easy 5-step tutorial from MSDN.
Let’s Encrypt offers multiple methods for domain validation. In this example we will use the DNS challenge (DNS-01). Certbot gives you a validation value, and you publish it as a TXT record named _acme-challenge. followed by your domain in your public DNS zone. Let’s Encrypt then looks that record up, which proves the request comes from someone who controls the zone, and therefore the domain.
Run the following commands in your Bash terminal.
Note — you may need to prefix each command with sudo.
Add the Certbot repository
Update package lists to include our new repository
Download & Install Certbot
apt-get install certbot
Now, we have installed Certbot, but how do we use it?
Generate the certificate
certbot -d secure.mydomain.com --manual --preferred-challenges dns certonly
Breaking it down
-d — Your domain
--manual — Provides manual instructions for obtaining a certificate instead of relying on a web server plugin
--preferred-challenges dns — Challenge type. In this example we use the DNS challenge, as explained earlier in the article.
certonly — Obtain the certificate files only; Certbot will not try to install them into a web server.
We’re asked “Are you OK with your IP being logged?”. Let’s Encrypt publicly logs the IP address of the machine that requested the certificate, which is fine for a Windows workstation you control.
Type Y and press Enter to continue
The DNS Challenge
Certbot now prints the TXT record you need to publish: the name, _acme-challenge. followed by your domain, and the value to put in it. Go ahead and create this record in your public DNS zone. Here’s what mine looks like, using my provider’s cPanel interface.
Important — Before pressing Enter, verify the TXT record is published and reachable. Depending on your provider and the zone’s TTLs, this can take anywhere from 5 minutes to an hour. Let’s Encrypt resolves the name from its own resolvers, so check against your zone’s authoritative name servers rather than trusting a local resolver, which may be caching an old (or empty) answer.
Validate the record
Run the following from a Command Prompt on your Windows device (nslookup in the Bash window works just as well):
NSLookup.exe -q=TXT _acme-challenge.secure.mydomain.com
Once the lookup returns the value Certbot gave you, go back to the Bash window and press Enter.
Certbot will verify your DNS entry and, on success, issue a valid 90-day SSL certificate, writing privkey.pem, cert.pem, chain.pem and fullchain.pem into its live directory for the domain. Now we have our certificate, we can export it to a format suitable for the web server.
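Pressing Enter before the record is visible costs you a failed challenge, so it is worth scripting the check. The following is an added example, not code from the original article: it polls a TXT lookup until the value Certbot printed shows up, and matches the quoted value exactly so that a stale record from an earlier run is not mistaken for the new one. It assumes nslookup is available in the Bash window (package dnsutils on Ubuntu); the host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): poll DNS until the
# _acme-challenge TXT record carries the validation value Certbot printed,
# so you only press Enter in the Certbot prompt once the record is live.
# Assumes nslookup is installed in the Bash environment (dnsutils on Ubuntu).

# Return 0 if a TXT lookup's output contains exactly the expected value.
# nslookup prints TXT data in double quotes, so requiring the quotes means a
# stale record that merely shares a substring with the new value is no match.
txt_contains_token() {
    lookup_output="$1"
    token="$2"
    printf '%s\n' "$lookup_output" | grep -Fq -- "\"$token\""
}

# Look up the TXT record, optionally against a specific name server.
# Point it at one of the zone's authoritative servers to bypass a caching
# resolver that may still return the old record, or none at all.
lookup_txt() {
    name="$1"
    server="$2"
    if [ -n "$server" ]; then
        nslookup -q=TXT "$name" "$server" 2>/dev/null
    else
        nslookup -q=TXT "$name" 2>/dev/null
    fi
}

# Poll every $interval seconds, at most $max_tries times (defaults: 30 s, 120 tries).
wait_for_txt() {
    name="$1"
    token="$2"
    server="$3"
    interval="${4:-30}"
    max_tries="${5:-120}"
    i=1
    while [ "$i" -le "$max_tries" ]; do
        if txt_contains_token "$(lookup_txt "$name" "$server")" "$token"; then
            echo "TXT record for $name carries the expected value (try $i)"
            return 0
        fi
        echo "try $i/$max_tries: value not visible yet, sleeping ${interval}s" >&2
        sleep "$interval"
        i=$((i + 1))
    done
    echo "gave up after $max_tries tries" >&2
    return 1
}

# Usage with placeholder values: substitute the value Certbot printed and
# one of your DNS provider's authoritative name servers.
#   wait_for_txt _acme-challenge.secure.mydomain.com 'VALUE_FROM_CERTBOT' ns1.provider.example
```

A successful poll against the authoritative server is the point at which pressing Enter is safe; a caching resolver answering correctly tells you less, because Let’s Encrypt does not use it.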
Exporting the certificate
In this example, I will be installing the certificate into an IIS web server, which requires a PFX (PKCS#12) file. A PFX file bundles the certificate, its issuer chain and the private key in a single file, so treat it as a secret: protect it with an export password and delete stray copies once it has been imported. We can create it using the OpenSSL package.
sudo apt-get install openssl
Now, with the OpenSSL package installed, run the command below. It prompts for an export password; choose one, as IIS will ask for it on import.
Important — Ensure your working directory is:
openssl pkcs12 -export -out /tmp/certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
Now we have our PFX certificate at /tmp/certificate.pfx, we can move it somewhere accessible by our Windows device. I made a folder at C:\tmp and copy the certificate there using the command
cp /tmp/certificate.pfx /mnt/c/tmp
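The export and copy steps above are where the private key leaves Certbot’s protected directory, so they deserve a little more care than a one-liner. The following is an added example, not code from the original article: it wraps the same openssl export so that the password comes from an environment variable instead of an interactive prompt or the command line, the PFX is created readable only by its owner, and the file is verified to open with the password before it travels anywhere. It assumes the three PEM files sit in Certbot’s live directory for the domain (by default /etc/letsencrypt/live/<domain>/, readable only by root, so run it with sudo), and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): export Certbot's output to a
# password-protected PFX with restrictive permissions.
# Assumptions: privkey.pem, cert.pem and chain.pem live in Certbot's live
# directory for the domain (default /etc/letsencrypt/live/<domain>/), and the
# export password is supplied in the PFX_PASS environment variable, so it never
# appears in shell history or the process list.

export_pfx() {
    live_dir="$1"
    out="$2"
    if [ -z "${PFX_PASS:-}" ]; then
        echo "set PFX_PASS to the export password first" >&2
        return 1
    fi
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "cannot read $live_dir/$f (wrong directory, or run with sudo)" >&2
            return 1
        fi
    done
    # The PFX contains the private key: umask 077 inside a subshell makes
    # openssl create it mode 0600 without changing the caller's umask.
    (
        umask 077
        openssl pkcs12 -export \
            -inkey "$live_dir/privkey.pem" \
            -in "$live_dir/cert.pem" \
            -certfile "$live_dir/chain.pem" \
            -passout env:PFX_PASS \
            -out "$out"
    )
}

# Confirm the file opens with the password before carrying it to Windows.
# Returns non-zero if the file is corrupt or PFX_PASS is wrong.
verify_pfx() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -noout 2>/dev/null
}

# Usage (placeholder paths and password):
#   export PFX_PASS='a long export password'
#   export_pfx /etc/letsencrypt/live/secure.mydomain.com /tmp/certificate.pfx \
#       && verify_pfx /tmp/certificate.pfx
```

Two caveats for the copy step. Files written under /mnt/c pick up the NTFS permissions of the target folder, not the 0600 mode set here, so copy the PFX into a folder only your Windows account can read and delete it once IIS has imported it. And if you are running a recent OpenSSL 3 and an older Windows build refuses to import the file, re-export with OpenSSL’s -legacy option, which falls back to the older PKCS#12 encryption algorithms that every Windows version understands.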
Congratulations, you now have a valid SSL certificate accessible and ready to use, all from your Windows device.